ABSTRACT:

Methods for verifying programs written in a higher level programming language are devised and implemented. The system can verify programs written in a subset of PASCAL, which may have data structures and control structures such as WHILE, REPEAT, FOR, PROCEDURE, FUNCTION and COROUTINE. The process of creation of verification conditions is an extension of the work done by Igarashi, London and Luckham which is based on the deductive theory by Hoare. Verification conditions are proved using specialized simplification and proof techniques, which consist of an arithmetic simplifier, equality replacement rules, a fast algorithm for simplifying formulas using propositional truth value evaluation, and a depth first proof search process. The basis of the deduction mechanism used in this prover is a Gentzen-type formal system. Several sorting programs including Floyd's TREESORT3 and Hoare's FIND are verified. It is shown that the resulting array is not only well-ordered but also a permutation of the input array.
I. Introduction

Verifying that programs work faultlessly is a necessity. We can test whether they work or not in several cases. But unless we prove the correctness of programs, it is impossible to claim that they endure long lasting usage. Since proving by hand is cumbersome and not always free of errors, mechanization of verification is strongly desired.

Some attempts have been made to verify programs mechanically [1],[2],[10],[11], but there are several problems which must be solved in order to make automatic verification of programs practical.

First, we have to find a way to express assertions more easily. Most of the previous verifiers require assertions to be written in first order predicate sentences with a fixed number of predefined predicate symbols and function symbols. But this is in many cases inconvenient and infeasible. For example, if we have to deal with the correctness of programs with complex data structures, we need to express properties in higher order sentences. Thus, many complex programs have not been verified because the assertions about programs have not been properly stated.

Second, we have to find a better way to prove verification conditions automatically. Proving verification conditions using a general automatic theorem prover is in most of the cases unsatisfactory. If we are verifying programs in specific domains, we can use special properties of functions and predicates to construct fast special purpose provers. King[10] and Deutsch[2] have succeeded by using a built-in simplifier for integer arithmetic, but these programs still cannot cope with other domains.

In most verification systems the user must specify not only input and output conditions but also loop invariants. Although it is an undecidable problem to generate loop invariants, the system should aid the programmer in constructing loop invariants. Also, programs with complex data structures and complex control structures must be verified, including parallel programs.

In this paper we describe a fast simplification and theorem proving facility that is a new component of the Stanford PASCAL Verification System described by Igarashi, London and Luckham in [9]. This system permits the programmer to formulate the semantics of his data structures, procedures, and functions in simple, natural statements. These statements are used by the system as implication and special theorem-proving rules during verification. So programs computing over any domain can be dealt with easily.

As an example, automatic verification of a sorting program is studied in detail. It is shown that not only is the resulting array ordered but also it is a permutation of the input array. The verifications of Floyd's TREESORT program and Hoare's FIND program are listed, both of which are verified within a reasonable amount of computation time. Because these programs are complex, and use data structures (in this case an array data structure) whose semantics has not been studied well, they have been considered as one of the big challenges for automatic verification. Thus our method of verification is very promising for practical use.
II. Expressing Assertions by Structured Definitions.

Here, we make a few comments about how the user of the system might construct documentation in a way that aids the verification of his program. The main idea is to use defined concepts that are close to the natural concepts employed in creating the program.

As is discussed in the previous section, it is impossible to state all properties of programs in first order sentences with a fixed number of predefined function symbols and predicate symbols. As an example let us examine the process of verifying sorting programs. Suppose a program S accepts an array A, sorts it and outputs it as an array B. Then, the correctness of S is expressed in terms of the properties that the elements of B are ordered in ascending (or descending) order and that B consists of all elements of A and of nothing else. The first property can be stated as

∀I.(1≤I≤N-1 ⊃ B[I]≤B[I+1]).

But one way to describe the second property is to state that there is a one-to-one mapping from elements of A to elements of B. That is, the sentence

∃F.(∀I.(1≤I≤N ⊃ 1≤F(I)≤N) ∧ ∀I,J.(1≤I<J≤N ⊃ F(I)≠F(J)) ∧ ∀I.(1≤I≤N ⊃ A[I]=B[F(I)]))

expresses the second property.

But previous verifications of sorting programs, either manual or automatic, have dealt with only the first property. The detailed study of FIND by Hoare[7] briefly explains that to prove the correctness it is necessary to show that the second property holds, but does not formally verify it. He thought that the assertions were not obvious and the proof would be tedious. It is certainly disadvantageous to introduce second order sentences because they require complicated proof procedures. But since it is essential for the automatic verification to prove the second property formally, we have to invent a way to verify it.

The way to avoid using second order sentences is to extend the language by introducing new symbols. There is also another nice thing about introducing new symbols. To express that array B is a permutation of array A, we have to employ a rather complex sentence. It might be as difficult to understand what it means as to understand what the program does. Also it is very easy to introduce errors. But we can avoid complexities by writing

Permutation(B,A).

In general there are two methods to introduce new symbols. The first method is to regard the new symbol as a shorthand representation of a sentence written with already defined symbols. The second method is to define symbols by axioms stating the properties of these symbols. For example, after defining the axioms of propositional calculus consisting of the symbols ∨ and ¬, we can introduce the ∧ symbol as a shorthand notation for ¬(¬A∨¬B). But also we can introduce it by the axioms

A∧B⊃A, A∧B⊃B and A⊃(B⊃A∧B).

Assertions describing a program can be structured top-down by using new symbols. Their meanings are refined successively until everything is well-defined. An analogous concept can be found in programming. We can enrich the language and clarify the meaning by introducing new symbols (operations). These new operations are defined either by macros or by procedures. Macros define new operations by using already defined concepts, so they do not give more computation power but clarify programs. Whereas, procedures can define new operations recursively, so that they give new power.

Following this analogy to programming, we can call the way we write predicate sentences with newly defined symbols a structured way of expressing assertions. A detailed study of how to introduce new symbols is in section V, and also is found in the work by von Henke and Luckham[5].

In the case of "Permutation(B,A)", we could define it as the shorthand representation of the previous sentence. But instead we shall define it by a set of properties (specifications) including the following axiom,

∀A,I,J. Permutation(Exchange(A,I,J),A),

where Exchange(A,I,J) is a function mapping an array A into the array resulting from exchanging the I-th element and the J-th element of A. In addition, Permutation is an equivalence relation, so we must include axioms for the symmetric, reflexive and transitive properties.

We have replaced a second order statement by a relation which has arrays as individuals. Now, arrays are a second sort of individuals. Thus, we need to have a special semantic definition for array assignment, since arrays as well as array elements occur in assertions.

NOTATION <A,I,E>: An array obtained from A by placing E in the I-th position.

ARRAY ASSIGNMENT AXIOM

P(<A,I,E>) {A[I]←E} P(A).
III. Documentation Statements and Their Use.

Introduction of new symbols is essential to verification for ease of both representation and understanding of assertions. We allow users to introduce new symbols by documentation in the form of three simple kinds of statements. They are used by the prover as (i) rewriting rules to expand new symbols, (ii) reduction strategies which state that some expressions are reduced to others under specified conditions, and (iii) goal-subgoal strategies which state that certain well-formed formulas are true if certain others are true. We found that they are convenient and powerful.

From the method of construction of verification conditions [5],[6],[7],[9], all the verification conditions are of the form

A1∧...∧AN → C1∧...∧CN.

Since this form of representation is more natural for understanding than disjunctive normal form, we retain this form throughout the proof. The proof procedure is based on Gentzen's formal system. Thus, the validity of each CI is proved with the assumption A1∧...∧AN.

We first explain a special pattern matching language, in which all the documentation statements are written.

1. Pattern Matching.

A pattern is a string of symbols which matches a term or a well-formed formula. Patterns consist of pattern constants and pattern variables. A pattern constant is an identifier and a pattern variable is an identifier preceded by the symbol "@". So @X stands for a pattern variable. Under the pattern matching mechanism, a pattern constant matches only that symbol and an unbound pattern variable matches any term and is bound to that term thereupon. A bound pattern variable matches only the corresponding term.

Higher order pattern matching is undecidable in general. So, in this algorithm a term with unbound pattern variables is not matched to a term with unbound pattern variables. But still this restricted matching algorithm is ambiguous. For example, if a pattern @P(@X) is matched to Q(F(A)), both @P=Q, @X=F(A) and @P=Q(F( )), @X=A are permissible bindings. This ambiguity is costly in computation and should be avoided if possible. Thus, in this system we employ an incomplete but decidable procedure. The matching is done from the outer symbols, and from left to right among parameters. So @P(@X) matches Q(F(A)) and yields @P=Q and @X=F(A).

The limited facility has not caused much inconvenience. Since higher order sentences can be translated to first order sentences by introducing new symbols, all properties can be expressed in first order sentences. We are going to see that the pattern matching does not cause much inconvenience in the case of data structures either. Suppose A and B are both arrays. If we match @X[@Y] to A[B[1]], we get @X=A and @Y=B[1] by our matching algorithm. But we do not want the bindings @X=A[B[ ]] and @Y=1, since A[B[ ]] is not meaningful.


2. Rewriting Rules.

We can use TEMPLATE statements to introduce new symbols as shorthand representations of already defined expressions.

TEMPLATE <pattern> ← <expression>.

Then, a rewriting rule is created from this statement. The system replaces every occurrence of <pattern> by <expression> according to the rule.

If we want to introduce

Ordered(A,I,J)

as a shorthand representation of

∀X.(I≤X<J ⊃ A[X]≤A[X+1]),

then we can write

TEMPLATE Ordered(@A,@I,@J) ← ∀X.(I≤X<J ⊃ A[X]≤A[X+1]).


3. Reduction Strategies.

Also, we can introduce new symbols by a set of axioms. These axioms can be stated by AXIOM statements and GOAL statements to produce reduction strategies and goal-subgoal strategies respectively.

We can specify reduction strategies to simplify terms or well-formed formulas. These strategies are of two kinds, one is an unconditional reduction and the other is a conditional reduction. Unconditional reduction strategies can be fed into the system by statements of the form

AXIOM <pattern> ← <expression>.

The effect of this strategy is to reduce any expression which matches the <pattern> to <expression>. The <expression> may have identifiers which appear in the pattern as pattern variables. They are bound to some forms by matching. For example, one can represent one of the axioms of list data structures,

∀X,Y. CAR(CONS(X,Y))=X,

as a simplification rule,

AXIOM CAR(CONS(@X,@Y)) ← X.

Then P(CAR(CONS(A,B))) is reduced to P(A) since @X is bound to A. Only universally quantified equality or equivalence relations can be represented by this method.

Conditional reduction strategies are specified to the system by statements of the form

AXIOM IF <pattern 1> THEN <pattern> ← <expression>.

The effect is to reduce expressions which match <pattern> to <expression>, if <pattern 1> is provable by the system. Some pattern variables of the <pattern 1> become bound when <pattern> is matched. If the <pattern 1> does not include unbound pattern variables, the validity of the sentence

A1∧...∧AN → <pattern 1>,

is checked by recursively activating the prover. If the <pattern 1> includes unbound pattern variables, it is tested whether it matches the antecedent part of the verification condition or not. If it matches then we consider <pattern 1> to be provable and otherwise not provable.

For example,

∀X,Y.(X≤Y∧Y≤X ⊃ X=Y)

is a valid statement. We want to incorporate this fact into the system by conditional reduction, and reduce Y≤X to X=Y if X≤Y holds. The statement we should write is

AXIOM IF X≤Y THEN @Y≤@X ← X=Y.

Then if we are to reduce the statement

A≤B∧B≤A∧P(A) ⊃ P(B),

the pattern matches A≤B to get the bindings @Y=A and @X=B. Since there is no unbound pattern variable, the system sets up a subgoal B≤A, and tries to prove

B≤A∧P(A) ⊃ B≤A,

which is valid. So the statement is reduced to

B=A∧B≤A∧P(A) ⊃ P(B),

which will be proved to be valid by equality substitution. As the previous example shows, universally quantified theorems can be represented by this statement. But also some existentially quantified theorems can be represented.

For example

∀X∃Y.(P(X,Y) ⊃ F(X)=G(X))

can be represented by a statement

AXIOM IF P(X,@Y) THEN F(@X) ← G(X).

4. Goal-Subgoal Strategies.

Reduction strategies turn out to be important components of proof. It is a frequently used proof step. However we rely heavily on additional goal-subgoal strategies to complete many verification proofs. Verification conditions are of the form

A1∧...∧AN → C1∧...∧CN.

The problem is to prove each CI. If we can prove BI⊃CI and A1∧...∧AN→BI, we can deduce A1∧...∧AN→CI by modus ponens. Thus, if we have an axiom BI⊃CI the subproblem we have to solve is

A1∧...∧AN → BI.

This fact is the motivation for employing goal-subgoal strategies.

Statements to specify strategies are of the form

GOAL <pattern> SUB <pattern 1>,...,<pattern n>.

The strategy constructed from this statement works as follows. If <pattern> matches the consequent CI, each <pattern j> is tested successively until one of them is provable. If <pattern j> has unbound pattern variables it is tested to determine whether it matches one of the conjuncts of the antecedent. If <pattern j> has no unbound pattern variables, a new subproblem

A1∧...∧AN → <pattern j>

is tested by recursively activating the prover.

For example, the transitivity of ≤ is defined by an axiom

∀X,Y.(∃Z.(X≤Z∧Z≤Y) ⊃ X≤Y).

This is represented by a goal-subgoal strategy,

GOAL @X≤@Y SUB X≤@Z∧@Z≤Y.

In order to prove a sentence

A≤B∧B≤C∧C≤D → A≤D

using this goal, first @X≤@Y is matched to A≤D to obtain @X=A and @Y=D. Then, the antecedent is searched to see whether A≤@Z matches one of the conjuncts. In this case the search is successful and yields @Z=B. Thus, the remaining subgoal is @Z≤D, which is now B≤D. So the new subproblem

A≤B∧B≤C∧C≤D → B≤D

is set up. This can be proved by using the same goal one more time. These strategies can also represent universally or existentially quantified theorems.

Everything which goal-subgoal strategies can express can be expressed by conditional reduction strategies, since we can express the statement

GOAL A SUB B.

by the statement

AXIOM IF B THEN A ← TRUE.

However, the system uses these statements in different ways. Conditional reduction strategies are used to reduce expressions in both the consequent and the antecedent of verification conditions. For example, suppose we have a conditional reduction strategy specified by

IF A1 THEN A2 ← C.

then

A1∧A2 → B

is reduced to

A1∧C → B,

and

A1 → A2

is reduced to

A1 → C.

Goal-subgoal strategies are used only to make reductions in the consequent.

The reason why we have goal-subgoal strategies is that they are more efficient than conditional reduction strategies. Most of the time we are interested in proving the validity of a statement of the form A → B. Thus, we are interested in how B can be proved from A. Also the antecedent A is usually more complex than the consequent B because the antecedent contains all the information about data structures and control structures. So the goal-subgoal strategy gains efficiency by limiting the reduction to the consequent part.
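The pattern matcher of subsection 1, the unconditional rewriting of subsections 2 and 3, and the goal-subgoal search of subsection 4, as an added Python example that is not the paper's own implementation. It assumes a tuple encoding of terms and writes bound pattern variables with "@" on the SUB side as well; a SUB conjunction is given as a list of conjunct patterns.

```python
# Added example (not the paper's own implementation): a matcher following the
# paper's outer-first, left-to-right rule, an inside-out rewriter for
# unconditional AXIOM/TEMPLATE rules, and a goal-subgoal prover. Terms are
# nested tuples: ('F', 'A') is F(A), ('[]', 'A', '1') is A[1]; pattern
# variables are strings beginning with '@'. A SUB conjunction is given as a
# list of conjunct patterns (a representation chosen here).

def is_var(s):
    return isinstance(s, str) and s.startswith('@')

def has_vars(t):
    return is_var(t) or (isinstance(t, tuple) and any(has_vars(x) for x in t))

def subst(t, b):
    if is_var(t):
        return b.get(t, t)
    return tuple(subst(x, b) for x in t) if isinstance(t, tuple) else t

def match(pat, term, b=None):
    """Bindings if pat matches term, else None. A bound variable matches only
    the term it is bound to; nothing is matched against a term that itself
    contains unbound pattern variables (the paper's restriction)."""
    b = {} if b is None else dict(b)
    if is_var(pat):
        if pat in b:
            return b if b[pat] == term else None
        if has_vars(term):
            return None
        b[pat] = term
        return b
    if isinstance(pat, str):                 # pattern constant
        return b if pat == term else None
    if not isinstance(term, tuple) or len(pat) != len(term):
        return None
    for p, t in zip(pat, term):              # outer symbol, then parameters
        b = match(p, t, b)
        if b is None:
            return None
    return b

def rewrite(term, rules):
    """Unconditional simplifier: parameters first, then the outer term."""
    if isinstance(term, tuple):
        term = tuple(rewrite(x, rules) for x in term)
    for pat, rhs in rules:
        b = match(pat, term)
        if b is not None:
            return rewrite(subst(rhs, b), rules)
    return term

def prove(ante, goal, goals, depth=8):
    """Prove A1 ∧ ... ∧ AN → goal using goal-subgoal strategies only.
    `goals` is a list of (pattern, alternatives), each alternative being a
    list of conjunct patterns; `depth` is the user-specified search bound."""
    if goal in ante:
        return True
    if depth == 0:
        return False
    for pat, alts in goals:
        b = match(pat, goal)
        if b is None:
            continue
        for alt in alts:
            if prove_subgoals(ante, alt, b, goals, depth - 1):
                return True
    return False

def prove_subgoals(ante, pats, b, goals, depth):
    if not pats:
        return True
    p, rest = pats[0], pats[1:]
    if has_vars(subst(p, b)):
        # unbound variables: look for a matching antecedent conjunct
        for a in ante:
            b2 = match(p, a, b)
            if b2 is not None and prove_subgoals(ante, rest, b2, goals, depth):
                return True
        return False
    # fully instantiated: recursively activate the prover on a new subproblem
    return prove(ante, subst(p, b), goals, depth) and \
        prove_subgoals(ante, rest, b, goals, depth)

# AXIOM CAR(CONS(@X,@Y)) ← X
LIST_RULES = [(('CAR', ('CONS', '@X', '@Y')), '@X')]
# GOAL @X≤@Y SUB X≤@Z ∧ @Z≤Y   (transitivity of ≤)
TRANS = [(('<=', '@X', '@Y'), [[('<=', '@X', '@Z'), ('<=', '@Z', '@Y')]])]

def demo():
    m1 = match(('@P', '@X'), ('Q', ('F', 'A')))                    # @P=Q, @X=F(A)
    m2 = match(('[]', '@X', '@Y'), ('[]', 'A', ('[]', 'B', '1')))  # @X=A, @Y=B[1]
    r = rewrite(('P', ('CAR', ('CONS', 'A', 'B'))), LIST_RULES)    # P(A)
    chain = [('<=', 'A', 'B'), ('<=', 'B', 'C'), ('<=', 'C', 'D')]
    ok = prove(chain, ('<=', 'A', 'D'), TRANS)                     # True
    bad = prove(chain[:2], ('<=', 'A', 'D'), TRANS)                # False
    return m1, m2, r, ok, bad

if __name__ == '__main__':
    print(demo())
```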
IV. Implementation.

This verification system is built upon the PASCAL verification condition generator VCGEN[9]. First, files of the user's Axiom and Goal statements are input to the system, and the corresponding reduction rules and goal-subgoaling strategies are constructed. This yields a special reduction and proof system for the data structures and functions described by these statements. The system is extensible, since strategies can be added to handle a larger domain of programs. Next, a file containing the program with assertions is processed by VCGEN to produce verification conditions. These are passed to the proving system. The proving system is divided into several functions. They are (i) the arithmetic simplifier, (ii) the equality substitution algorithm, (iii) the truth value substitution algorithm, (iv) the unconditional simplifier, (v) the conditional simplifier, (vi) the goal-subgoaler, and (vii) the logic symbol elimination algorithm.

Gentzen-type inference rule notations are used to express the effects of functions.

NOTATION:    A    B
            -------
               C

where C is the goal and A and B are subgoals both of which must be proved in order to prove C.

(i) The arithmetic simplifier transforms arithmetic expressions into standard representations, and simplifies them. The standard representation is a sum of products of simple factors. A simple factor is an arithmetic expression which is neither a sum nor a product. Then each product consists of a coefficient (if not equal to 1) followed by simple factors which are ordered by system-defined orderings. And the sum consists of the ordered products followed by a constant (if not equal to 0).

(ii) The equality substitution algorithm handles verification conditions of the form

A∧(α=β)∧B → C.

CASE 1. Suppose one of α or β is a variable. Without loss of generality we can suppose α to be a variable. If β is a constant, a variable, or an expression with α not appearing free, then all the occurrences of α in A, B and C are replaced by β.

CASE 2. Suppose one of α or β is a variable. Without loss of generality we suppose α to be a variable. If β is an expression containing α, then all the occurrences of β in A, B and C are replaced by α.

CASE 3. If α and β do not satisfy cases 1 or 2 then all the occurrences of α are replaced by β.

(iii) The truth value substitution algorithm evaluates logical sentences. The grand rule of the truth value substitution is

    Tsubst(A,α) ∧ α ∧ Tsubst(B,α) → Tsubst(C,α)
    --------------------------------------------
                  A ∧ α ∧ B → C,

where both A and B may be null expressions and α is not a conjunction. Tsubst(A,α) is defined by the following set of functions, which give the value of A assuming α is true.

Tsubst(A,α) = if α is of the form ¬β then Fsubst(A,β) else
              if α is of the form β∧γ then Tsubst(Tsubst(A,β),γ) else
              replace all occurrences of α in A by "True".

Fsubst(A,β) = if β is of the form ¬α then Tsubst(A,α) else
              if β is of the form α⊃γ then Fsubst(Tsubst(A,α),γ) else
              if β is of the form α∨γ then Fsubst(Fsubst(A,α),γ) else
              replace all occurrences of β in A by "False".
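The Tsubst/Fsubst functions and the grand rule of (iii), as an added Python example that is not the paper's own code. It assumes a tuple encoding of propositional formulas and folds the constants "True"/"False" out of each connective by propositional truth value evaluation after every replacement.

```python
# Added example, not the paper's own code: the Tsubst/Fsubst functions of
# section IV(iii) over propositional formulas, with constant folding by
# propositional truth value evaluation, and the "grand rule" applied to each
# antecedent conjunct in turn. Formulas are nested tuples ('not', p),
# ('and', p, q), ('or', p, q), ('imp', p, q); atoms are strings.

def simplify(f):
    """Fold the constants True/False out of one connective."""
    if not isinstance(f, tuple):
        return f
    op, args = f[0], f[1:]
    if op == 'not':
        return (not args[0]) if isinstance(args[0], bool) else f
    p, q = args
    if op == 'and':
        if p is False or q is False:
            return False
        return q if p is True else (p if q is True else f)
    if op == 'or':
        if p is True or q is True:
            return True
        return q if p is False else (p if q is False else f)
    if op == 'imp':
        if p is False or q is True:
            return True
        if p is True:
            return q
        return simplify(('not', p)) if q is False else f
    return f

def replace(formula, target, value):
    """Replace every occurrence of `target` in `formula` by `value`."""
    if formula == target:
        return value
    if isinstance(formula, tuple):
        return simplify(tuple(replace(x, target, value) for x in formula))
    return formula

def tsubst(a, alpha):
    """Value of formula `a` assuming `alpha` is true."""
    if isinstance(alpha, tuple) and alpha[0] == 'not':
        return fsubst(a, alpha[1])
    if isinstance(alpha, tuple) and alpha[0] == 'and':
        return tsubst(tsubst(a, alpha[1]), alpha[2])
    return replace(a, alpha, True)

def fsubst(a, beta):
    """Value of formula `a` assuming `beta` is false."""
    if isinstance(beta, tuple) and beta[0] == 'not':
        return tsubst(a, beta[1])
    if isinstance(beta, tuple) and beta[0] == 'imp':   # α⊃γ false: α true, γ false
        return fsubst(tsubst(a, beta[1]), beta[2])
    if isinstance(beta, tuple) and beta[0] == 'or':    # α∨γ false: both false
        return fsubst(fsubst(a, beta[1]), beta[2])
    return replace(a, beta, False)

def grand_rule(ante, cons):
    """Apply Tsubst(A,α) ∧ α ∧ Tsubst(B,α) → Tsubst(C,α) for each antecedent
    conjunct α in turn. Returns (antecedent, consequent); the verification
    condition is proved when the consequent is True."""
    todo, kept = list(ante), []
    while todo:
        alpha = todo.pop(0)
        if alpha is True:                 # conjunct already known true
            continue
        if alpha is False:                # contradictory antecedent proves it
            return [], True
        todo = [tsubst(x, alpha) for x in todo]
        kept = [tsubst(x, alpha) for x in kept]
        if False in kept:
            return [], True
        kept = [x for x in kept if x is not True] + [alpha]
        cons = tsubst(cons, alpha)
    return kept, cons

if __name__ == '__main__':
    # p ∧ (p ⊃ q) → q is reduced to p ∧ q → True
    print(grand_rule(['p', ('imp', 'p', 'q')], 'q'))
```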
(iv) The unconditional simplifier applies all unconditional reduction strategies. The algorithm works from inside out. Thus if we want to simplify

R(P1,...,PN),

first all P1,...,PN are simplified to Q1,...,QN respectively. Then R(Q1,...,QN) is simplified.

(v) The conditional simplifier applies all conditional reduction strategies. The treatment is different according to the position of the expression, in the antecedent or consequent of the verification condition. Suppose a conditional reduction strategy is given to the system by a statement

AXIOM IF <pattern 1> THEN <pattern> ← <expression>,

and the verification condition to be proved is

A1∧...∧AN → C1∧...∧CM.

If <pattern> matches a subexpression of CI, then

A1∧...∧AN → <pattern 1>

becomes the subproblem to be solved.

Next, suppose <pattern> matches a subexpression of the antecedent, say AI. Then

A1∧...∧AI-1∧AI+1∧...∧AN → <pattern 1>

becomes the subproblem to be solved. If it is valid then the replacement takes place as before.

The validity is checked by recursively activating the prover. So this is a depth first search, and it might go in a wrong direction infinitely. So the system allows the user to specify the search depth. If the search reaches this limit, it is backed up until the last decision point.

(vi) The goal-subgoaler incorporates all goal-subgoal strategies. Suppose a goal-subgoal strategy is given to the system by a statement

GOAL <pattern> SUB <pattern 1>,...,<pattern N>,

and the verification condition to be proved is

A1∧...∧AN → C1∧...∧CM.

If CI matches <pattern>, then

A1∧...∧AN → <pattern 1>, ..., A1∧...∧AN → <pattern N>

are set up as a disjunction of subproblems successively, until one of them is proved to be "True". If the proof is successful the problem is reduced to

A1∧...∧AN → C1∧...∧CI-1∧CI+1∧...∧CM.

(vii) The logic symbol elimination algorithm works on the elimination of the logic symbols ∨ and ⊃ from the antecedent of the statement. Their functions are explained by inference rules as shown below.

    A∧α∧B → C    A∧β∧B → C
    ------------------------ (∨-elimination)
         A∧(α∨β)∧B → C

    A∧¬α∧B → C    A∧β∧B → C
    ------------------------ (⊃-elimination)
         A∧(α⊃β)∧B → C

These seven functions are applied serially. But the simplification may be applicable after reduction by goal-subgoaling. So these functions are iterated several times. The user can specify the number of iterations.
The overall structure of the prover is as follows.

Prover:
  Repeat 2 or 3 times:
    Arithmetic Simplifier
    Equality Substitution Algorithm
    Truth Value Substitution Algorithm
    Unconditional Simplifier
    Conditional Simplifier (recursively activates the prover)
    Goal-Subgoaler (recursively activates the prover)
  If ∨ or ⊃ exists in the antecedent:
    Logic Symbol Elimination Algorithm, then Prover (recursively)
  Otherwise: EXIT

Depth of recursive search has a fixed bound which can be altered before running the system.
V. Application to Sorting Programs

As the first example, the verification of a simple sorting program which successively finds the largest element among the unordered part of the array and puts it at the end of the ordered part is considered. This program is the one considered by King[10]. The program with input and output conditions and assertions about loop invariants is shown below. This is the actual input form for the system.

PASCAL
TYPE SARRAY=ARRAY[1:L] OF INTEGER;
PROCEDURE EXCHANGESORT(VAR A:SARRAY; L:INTEGER);
  INITIAL A=A0;
  ENTRY 1≤L;
  EXIT Issortedarrayof(A,A0);
  VAR X:REAL; VAR K,I,J:INTEGER;
BEGIN
  I←L;
  INVARIANT Permutation(A,A0)∧Ordered(A,I+1,L)∧Partitioned(A,I)∧(I≥1);
  WHILE I>1 DO
  BEGIN
    J←2; X←A[1]; K←1;
    INVARIANT Biggest(A,J-1,K)∧(1≤K)∧(K≤J-1)∧(J-1≤I)∧(X=A[K]);
    WHILE J≤I DO
    BEGIN
      IF X>A[J] THEN GOTO 3;
      X←A[J];
      K←J;
      3: J←J+1
    END;
    A[K]←A[I];
    A[I]←X;
    I←I-1
  END;
END;.


We are going to explain the intended interpretation of symbols and the set of axioms defining them. When we express axioms, we have to be careful not to introduce an inconsistent set. Since a consistent set of axioms has a model, we can avoid introducing an inconsistent set by defining an interpretation and justifying axioms by showing validity relative to that interpretation.

Inputs  to  this  program  are  an  array  A and  an  integer  parameter  L defining  the  upper  bound 
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of  the  array  Since  we  have  an  array  with  at  least  one  element,  the  input  condition  is 

I .1. 

The  out | Hit  condition  is 

I or  tedorr  njof  (A.  A0)  , 

where  A0  is  the  inu.al  value  of  A at  the  entrance  to  the  procedure  and  I ssortedarrayof  (A,  A0) 
means  that  A0  is  soiled  to  become  A. 

I Issortedarrayof(A.B) 

In  order  A to  be  a sorted  array  of  B,  it  must  be  ordered  in  ascending  order  and  it  must  consist 
of  all  the  elements  of  B and  nothing  else.  We  describe  the  two  facts  by  introducing  additional 
predicates.  The  axiom  is, 

Ordered  (A,  l.L)  APermutat  ionfA.Blal  ssortedarrayof  (A.B). 

2. Ordered(A,J,L)

The interpretation of Ordered(A,J,L) is that the subarray A[J:L] is ascendingly ordered.

Thus,

Ordered(A,J,L) ← ∀X.(J ≤ X ≤ L-1 ⊃ A[X] ≤ A[X+1]),

where ← means that the left-hand side is the shorthand notation of the right-hand side.

Three axioms are necessary to specify the predicate. The first one specifies the boundary case
when J is equal to L+1. Then there is no element in the subarray, and an empty array is ordered. So

Ordered(A,L+1,L)

is true.

The next axiom is an induction axiom which states that if the property holds for a smaller
subarray, it holds for a larger subarray under certain conditions. It is

Ordered(A,J,L) ∧ Partitioned(A,J-1) ⊃ Ordered(A,J-1,L).

This axiom enables the property to be extended to the whole array. The meaning of
Partitioned(A,J-1) is that the array A is partitioned between J-1 and J such that all the
elements in the upper half are larger than or equal to all the elements in the lower half.

The last axiom states that changing elements outside of the concerned subarray will not
change the property. The operation on the array in this program is Exchange(A,I,J), which is the
array obtained by exchanging the I-th and J-th elements of A. Thus

Ordered(A,J,L) ∧ (I ≤ J) ∧ (K ≤ J) ∧ Partitioned(A,J) ⊃ Ordered(Exchange(A,I,K),J,L).

The hypothesis Partitioned(A,J) is what keeps the case I = J (or K = J) sound: the element
moved into position J comes from the lower half, so it is no larger than A[J+1].

3. Partitioned(A,J)

The meaning of this predicate has been stated before as

Partitioned(A,J) ← ∀X,Y.(1 ≤ X ≤ J < Y ≤ L ⊃ A[X] ≤ A[Y]).

There are also three axioms to specify this predicate, of the same nature as those of
Ordered(A,J,L).

When J is equal to L, there is no element in the upper half of the array, so the property
holds. Thus, the boundary property is

Partitioned(A,L).

The axiom about induction is

Partitioned(A,J) ∧ Biggest(A,J,J) ⊃ Partitioned(A,J-1).

Since Biggest(A,J,J) means that A[J] is the biggest element among the elements of the subarray
A[1:J], there is a separation between J-1 and J.

Also, if we exchange elements of the lower half of the array, the property remains valid. So

Partitioned(A,J) ∧ (I ≤ J) ∧ (K ≤ J) ⊃ Partitioned(Exchange(A,I,K),J).

4. Biggest(A,I,J)

The meaning of this predicate is that A[J] is the biggest element among the elements of the
subarray A[1:I].

The axiom of the boundary case states what holds when I is equal to 1. Then there is one element
in the subarray, and it is the biggest element. Thus,

Biggest(A,1,1).

The axioms about the induction are

Biggest(A,I,J) ∧ (A[J] ≥ A[I+1]) ⊃ Biggest(A,I+1,J)

and

Biggest(A,I,J) ∧ (A[I+1] ≥ A[J]) ⊃ Biggest(A,I+1,I+1).

The next axiom states that if we move the biggest element by Exchange, then the place of the
biggest element changes. The objective of the program is to move the biggest element of the subarray
A[1:I] to A[I]. Thus, the axiom

Biggest(A,I,J) ⊃ Biggest(Exchange(A,J,I),I,I)

is sufficient.

5. Permutation(A,B)

The meaning is that the array A is a permutation of the array B.

If we exchange elements of an array, the result is a permutation of the array. Thus,

Permutation(Exchange(A,I,J),A)

is an axiom. Also, Permutation(A,B) is an equivalence relation, so

Permutation(A,A), and
Permutation(A,B) ⊃ Permutation(B,A), and
Permutation(A,B) ∧ Permutation(B,C) ⊃ Permutation(A,C)

are axioms. Since any permutation can be obtained by repeated operations of Exchange, these are
sufficient axioms to prove the property.

6. Exchange(A,I,J)

The program does not call Exchange directly: it exchanges two elements by element assignments,
which the verifier represents with the store notation <A,I,X> (the array A with its I-th element
replaced by X). The axiom sufficient to represent that such a cycle of assignments through N places
is decomposable into Exchanges is

Y = A[J] ⊃ <<A,I,Y>,J,X> = Exchange(<A,I,X>,I,J).
The following listing is the goalfile which is supplied to the system along with the program.
This shows how simplification and goal-subgoaling rules are selected to represent the axioms: a
GOAL rule replaces a goal matching its left-hand side by the subgoals listed after SUB, an AXIOM
rule is a rewrite rule, and names prefixed with @ are the pattern variables of a rule.


GOALFILE

GOAL Issortedarrayof(@A,@B) SUB Permutation(A,B) ∧ Ordered(A,1,L);

AXIOM Ordered(A,L+1,L) = TRUE;

GOAL Ordered(@A,@P1,L) SUB Ordered(A,P1+1,L) ∧ Partitioned(A,P1);

GOAL Ordered(Exchange(@A,@P1,@P2),@P3,L)
     SUB (P1 ≤ P3) ∧ (P2 ≤ P3) ∧ Ordered(A,P3,L) ∧ Partitioned(A,P3);

AXIOM Partitioned(A,L) = TRUE;

GOAL Partitioned(@A,@P1) SUB Biggest(A,P1+1,P1+1) ∧ Partitioned(A,P1+1);

GOAL Partitioned(Exchange(@A,@P1,@P2),@P3)
     SUB (P1 ≤ P3) ∧ (P2 ≤ P3) ∧ Partitioned(A,P3);

AXIOM Biggest(A,1,1) = TRUE;

GOAL Biggest(Exchange(@A,@P1,@P2),@P2,@P2) SUB Biggest(A,P2,P1);

GOAL Biggest(@A,@P2,@P1) SUB (A[P1] ≥ A[P2]) ∧ Biggest(A,P2-1,P1);

GOAL Biggest(@A,@P2,@P2) SUB (A[P2] ≥ A[P1]) ∧ Biggest(A,P2-1,@P1);

AXIOM Permutation(@I,@I) = TRUE;

AXIOM Permutation(Exchange(@I1,@I2,@I3),@I1) = TRUE;

GOAL Permutation(@A,@B) SUB Permutation(A,@C) ∧ Permutation(@C,B);

AXIOM IF Y=P1[P3] THEN
      <<@P1,@P2,@Y>,@P3,@P4> = Exchange(<P1,P2,P4>,P2,P3);

GOAL 0 < @P1+@P2 SUB (0 ≤ P1) ∧ (0 < P2);

GOAL @P1 < @P2 SUB (P1 ≤ @P3) ∧ (@P3 < P2);

AXIOM @P1 < @P2 = P1+1 ≤ P2;
This is the output of the computation which verified the program, in 19 seconds. Suffixed names
such as A#1 and J#3 denote the values of the program variables at the loop cut points.


THERE ARE 4 VERIFICATION CONDITIONS

# 1

(1 ≤ L
 →
 Permutation(A,A) &
 Ordered(A,L+1,L) &
 Partitioned(A,L) &
 1 ≤ L &
 (¬1 < I#1 &
  Permutation(A#1,A) &
  Ordered(A#1,I#1+1,L) &
  Partitioned(A#1,I#1) &
  1 ≤ I#1
  →
  Issortedarrayof(A#1,A)))

# 2

(1 < I &
 Permutation(A,A0) &
 Ordered(A,I+1,L) &
 Partitioned(A,I) &
 1 ≤ I
 →
 Biggest(A,2-1,1) &
 1 ≤ 1 &
 1 ≤ 2-1 &
 2-1 ≤ I &
 A[1] = A[1] &
 (¬J#3 ≤ I &
  Biggest(A,J#3-1,K#3) &
  1 ≤ K#3 &
  K#3 ≤ J#3-1 &
  J#3-1 ≤ I &
  X#3 = A[K#3]
  →
  Permutation(<<A,K#3,A[I]>,I,X#3>,A0) &
  Ordered(<<A,K#3,A[I]>,I,X#3>,I-1+1,L) &
  Partitioned(<<A,K#3,A[I]>,I,X#3>,I-1) &
  1 ≤ I-1))

# 3

(¬A[J] ≤ X &
 J ≤ I &
 Biggest(A,J-1,K) &
 1 ≤ K &
 K ≤ J-1 &
 J-1 ≤ I &
 X = A[K]
 →
 Biggest(A,J+1-1,J) &
 1 ≤ J &
 J ≤ J+1-1 &
 J+1-1 ≤ I &
 A[J] = A[J])

# 4

(A[J] ≤ X &
 J ≤ I &
 Biggest(A,J-1,K) &
 1 ≤ K &
 K ≤ J-1 &
 J-1 ≤ I &
 X = A[K]
 →
 Biggest(A,J+1-1,K) &
 1 ≤ K &
 K ≤ J+1-1 &
 J+1-1 ≤ I &
 X = A[K])

AFTER SOME SIMPLIFICATION, YOU CAN GET

# 1
TRUE

# 2
TRUE

# 3
TRUE

# 4
TRUE

*****

TIME: 19 CPU SECS, 21 REAL SECS

778 STATE STACK CELLS USED
136 TOKEN STACK CELLS USED

958 DECISION POINTS
1947 FAILURES
3 SECS GC TIME
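Before the rules of a goalfile are trusted as proof rules, a practitioner will want to see the predicates of sections 1 to 6 executed on concrete arrays and the axioms tested for soundness. The Python below is an added example, not code from the report or its verifier. It makes Ordered, Partitioned, Biggest, Permutation and Exchange executable, tests the two Exchange axioms of sections 2 and 3 exhaustively on every array of length 4 over three values (and counts how often the Ordered axiom would fail without its Partitioned(A,J) hypothesis), and runs a selection-by-largest sort, which is my reconstruction of the program behind the four verification conditions above, with the outer and inner loop invariants of those conditions asserted at run time. Arrays are 1-indexed with slot 0 unused, matching the report's A[1:L]; the function names are mine.

```python
from itertools import product

# The report's predicates, executable.  Arrays are 1-indexed: slot 0 is unused.

def ordered(A, J, L):
    """Ordered(A,J,L): A[J:L] is ascending; the empty subarray (J = L+1) counts as ordered."""
    return all(A[X] <= A[X + 1] for X in range(J, L))

def partitioned(A, J, L):
    """Partitioned(A,J): every element of A[1:J] is <= every element of A[J+1:L]."""
    return all(A[X] <= A[Y] for X in range(1, J + 1) for Y in range(J + 1, L + 1))

def biggest(A, I, J):
    """Biggest(A,I,J): A[J] is a largest element of A[1:I]."""
    return 1 <= J <= I and all(A[J] >= A[X] for X in range(1, I + 1))

def permutation(A, B):
    """Permutation(A,B): the same multiset of elements in slots 1..L."""
    return sorted(A[1:]) == sorted(B[1:])

def exchange(A, I, J):
    """Exchange(A,I,J): a new array with the I-th and J-th elements swapped."""
    C = list(A)
    C[I], C[J] = C[J], C[I]
    return C

def check_exchange_axioms(L=4, values=(0, 1, 2)):
    """Exhaustively test the two Exchange axioms on every array of length L over
    `values` and every I, K, J in 1..L.  Returns (cases, counterexamples,
    needs_partition); the last number counts cases where Ordered(Exchange(A,I,K),J,L)
    fails although I<=J, K<=J and Ordered(A,J,L) hold, i.e. the cases the
    Partitioned(A,J) hypothesis of the axiom exists to exclude."""
    cases, bad, needs_partition = 0, [], 0
    for tail in product(values, repeat=L):
        A = [None, *tail]
        for I, K, J in product(range(1, L + 1), repeat=3):
            cases += 1
            E = exchange(A, I, K)
            if ordered(A, J, L) and I <= J and K <= J:
                if partitioned(A, J, L) and not ordered(E, J, L):
                    bad.append(("Ordered", A, I, K, J))
                if not ordered(E, J, L):
                    needs_partition += 1
            if partitioned(A, J, L) and I <= J and K <= J and not partitioned(E, J, L):
                bad.append(("Partitioned", A, I, K, J))
    return cases, bad, needs_partition

def selection_sort_checked(A0):
    """Selection-by-largest sort (my reconstruction of the program whose four
    verification conditions are listed above) with the invariants of those
    conditions asserted at run time.  Returns the sorted list."""
    A = [None, *A0]               # working array; A0 keeps the initial value
    L = len(A0)
    assert 1 <= L                 # input condition
    I = L
    while True:
        # outer invariant: Permutation(A,A0), Ordered(A,I+1,L), Partitioned(A,I), 1 <= I
        assert permutation(A, [None, *A0]) and ordered(A, I + 1, L) \
            and partitioned(A, I, L) and 1 <= I
        if not 1 < I:
            break
        J, K, X = 2, 1, A[1]      # K indexes the largest of A[1:J-1]; X holds its value
        while True:
            # inner invariant: Biggest(A,J-1,K), 1 <= K <= J-1 <= I, X = A[K]
            assert biggest(A, J - 1, K) and 1 <= K <= J - 1 <= I and X == A[K]
            if not J <= I:
                break
            if not A[J] <= X:     # the branch of VC 3: A[J] becomes the new largest
                K, X = J, A[J]
            J += 1
        A[K] = A[I]               # the two stores that the Exchange axiom folds
        A[I] = X                  # into Exchange(A,K,I): <<A,K,A[I]>,I,X>
        I -= 1
    assert ordered(A, 1, L) and permutation(A, [None, *A0])   # Issortedarrayof(A,A0)
    return A[1:]
```

The exhaustive check returns an empty counterexample list and a positive count for the weakened Ordered axiom, which is the executable form of the remark in section 2 that the case I = J is only sound because the element moved into position J comes from the lower half.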
Here is another sorting program which has been verified. This is Floyd's TREESORT3
program [4] with assertions, followed by its goalfile. It is verified with 142 seconds of computation time.
Most of the previously defined predicates are used in the goalfile with the same set of axioms. Thus
there is a possibility of forming a standard set of symbols and axioms.


PASCAL


PROCEDURE TREESORT3(VAR A: TREEARRAY; L: INTEGER);

  INITIAL A=A0;

  ENTRY L ≥ 2;

  EXIT Issortedarrayof(A,A0);

  PROCEDURE SIFTUP(VAR M: TREEARRAY; I,N: INTEGER);

    INITIAL I=I0 ∧ M=M0;

    ENTRY Treeordered(M,I+1,N) 
∧ (I ≥ 1);

    EXIT Treeordered(M,I0,N) ∧ Permutation(M,M0) ∧
         Unchanged(M,M0,1,I0-1) ∧ Unchanged(M,M0,N+1,L);

    VAR COPY: REAL; J: INTEGER;

  BEGIN
    COPY := M[I];
  10:
    J := 2*I;
    IF J ≤ N THEN
      BEGIN
        IF J < N THEN IF M[J+1] > M[J] THEN J := J+1;
        IF M[J] > COPY THEN
          BEGIN
            M[I] := M[J];
            ASSERT Treeordered(M,I0,N) ∧ (COPY ≤ M[J DIV 2]) ∧
                   Permutation(<M,J,COPY>,M0) ∧
                   Unchanged(M,M0,1,I0-1) ∧
                   Unchanged(M,M0,N+1,L) ∧
                   (N ≥ J) ∧ (J > I0) ∧ (I0 ≥ 1);
            I := J;
            GO TO 10
          END
      END;
    M[I] := COPY
  END;

  VAR WORK: REAL; I: INTEGER;

BEGIN
  I := L DIV 2;

  INVARIANT Treeordered(A,I+1,L) ∧ (I ≥ 1) ∧ Permutation(A,A0)
  WHILE I ≥ 2 DO
    BEGIN SIFTUP(A,I,L); I := I-1 END;

  I := L;

  INVARIANT Ordered(A,I+1,L) ∧ Partitioned(A,I) ∧ Treeordered(A,2,I)
            ∧ (I ≥ 1) ∧ Permutation(A,A0)
  WHILE I ≥ 2 DO
    BEGIN
      SIFTUP(A,1,I);
      WORK := A[1]; A[1] := A[I]; A[I] := WORK;
      I := I-1
    END
END;.
GOALFILE

GOAL Issortedarrayof(@A,@B) SUB Permutation(A,B) ∧ Ordered(A,1,L);

AXIOM Permutation(@I,@I) = TRUE;

AXIOM Permutation(Exchange(@I1,@I2,@I3),@I1) = TRUE;

GOAL Permutation(@A,@B) SUB Permutation(A,@C) ∧ Permutation(@C,B);

AXIOM IF Y=P1[P3]
      THEN <<@P1,@P2,@Y>,@P3,@P4> = Exchange(<P1,P2,P4>,P2,P3);

AXIOM Ordered(A,L+1,L) = TRUE;

GOAL Ordered(@A,@P1,L) SUB Ordered(A,P1+1,L) ∧ Partitioned(A,P1);

GOAL Ordered(Exchange(@A,@P1,@P2),@P3,L)
     SUB Ordered(A,P3,L) ∧ (P1 ≤ P3) ∧ (P2 ≤ P3) ∧ Partitioned(A,P3);

GOAL Ordered(@X,@P,L)
     SUB Ordered(@Y,P,L) ∧ Unchanged(X,Y,@Q,L) ∧ (Q ≤ P+1);

AXIOM Unchanged(@X,@X,@I,@J) = TRUE;

GOAL Unchanged(<@X,@I,@J>,@Y,@K,@L)
     SUB Unchanged(X,Y,K,L) ∧ Outofrange(K,I,L);

GOAL Biggest(@A,@I,1) SUB Treeordered(A,1,I);

GOAL Biggest(Exchange(@A,@I,@J),@J,@J) SUB Biggest(A,J,I);

GOAL Treeordered(@P1,@P2,@P3)
     SUB Treeordered(P1,P2+1,P3)
         ∧ Biggerthanchildren(P1,P3,P2,P1[P2]);

GOAL Treeordered(<@M,@J,@K>,@I,@N)
     SUB Treeordered(M,I,N) ∧ Outofrange(I,J,N);

GOAL Treeordered(@M,@I,@N) SUB N < 2*I;

GOAL Treeordered(<@M,@J,@K>,@I,@N)
     SUB Treeordered(M,I,N) ∧ Smallerthanparent(M,I,J,K) ∧
         Biggerthanchildren(M,N,J,K);

GOAL Treeordered(Exchange(@A,@I,@J),@K,@L)
     SUB Treeordered(A,@M,@N) ∧ (K=I+1) ∧ (L=J-1) ∧ (M ≤ K) ∧ (N ≥ L);

GOAL Outofrange(@I,@J,@N) SUB J < I, N < J;

GOAL Smallerthanparent(@M,@I,@J,@K)
     SUB J < 2*I, (K ≤ M[J DIV 2]), K=M[2*J], K=M[2*J+1];

GOAL Biggerthanchildren(@M,@N,@J,@K)
     SUB N < 2*J, (N=2*J) ∧ (K ≥ M[N]), (K ≥ M[2*J]) ∧ (K ≥ M[2*J+1]);

AXIOM Partitioned(A,L) = TRUE;

GOAL Partitioned(@A,@P1) SUB Partitioned(A,P1+1) ∧ Biggest(A,P1+1,P1+1);

GOAL Partitioned(Exchange(@A,@P1,@P2),@P3)
     SUB Partitioned(A,P3) ∧ (P1 ≤ P3) ∧ (P2 ≤ P3);

GOAL Partitioned(@X,@P)
     SUB Partitioned(@Y,P) ∧ Unchanged(X,Y,@Q,L) ∧ (Q ≤ P+1);

AXIOM (@K*@L) DIV @K = L;

AXIOM @K*(@L DIV @K) = L;

AXIOM IF M+1 ≤ K THEN ((@K*@L)+@M) DIV @K = L;

GOAL @P1 ≤ @P2 DIV @P3 SUB P1*P3 ≤ P2;

GOAL 0 < @P1+@P2 SUB (0 ≤ P1) ∧ (0 < P2);

GOAL @P1 < @P2 SUB (P1 ≤ @P3) ∧ (@P3 < P2);

AXIOM @P1 < @P2 = P1+1 ≤ P2;

In this goalfile, alternative subgoals for one goal are separated by commas, as in the rules for
Outofrange, Smallerthanparent and Biggerthanchildren.
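The rules for Treeordered, Biggerthanchildren and Unchanged are compact enough to be executed directly, which is a cheap way to confirm that the assertions of the TREESORT3 listing above are true invariants before the prover is asked to discharge them. The Python below is an added example and not the report's code: it transcribes TREESORT3 and SIFTUP, defines the three tree predicates from the subgoal rules of the goalfile (ordered, partitioned and permutation are the one-line definitions of sections 2, 3 and 5), and checks the ENTRY, EXIT, ASSERT and INVARIANT formulas with assertions at the points where the listing places them. Arrays are 1-indexed with slot 0 unused; the extra parameter L of siftup is the enclosing array bound that the listing's Unchanged(M,M0,N+1,L) refers to.

```python
def bigger_than_children(M, N, J, K):
    """Biggerthanchildren(M,N,J,K): K is >= every child of node J that lies within 1..N."""
    if N < 2 * J:
        return True
    if N == 2 * J:
        return K >= M[N]
    return K >= M[2 * J] and K >= M[2 * J + 1]

def treeordered(M, I, N):
    """Treeordered(M,I,N): every node J in I..N dominates its children within N."""
    return all(bigger_than_children(M, N, J, M[J]) for J in range(I, N + 1))

def unchanged(M, M0, I, J):
    """Unchanged(M,M0,I,J): M[I:J] equals M0[I:J]; the range is empty when J < I."""
    return all(M[X] == M0[X] for X in range(I, J + 1))

def ordered(A, I, L):
    return all(A[X] <= A[X + 1] for X in range(I, L))

def partitioned(A, I, L):
    return all(A[X] <= A[Y] for X in range(1, I + 1) for Y in range(I + 1, L + 1))

def permutation(A, B):
    return sorted(A[1:]) == sorted(B[1:])

def siftup(M, I, N, L):
    """SIFTUP(M,I,N) of the listing, modifying M in place."""
    M0, I0 = list(M), I                                  # INITIAL I=I0, M=M0
    assert treeordered(M, I + 1, N) and I >= 1           # ENTRY
    COPY = M[I]
    while True:                                          # label 10
        J = 2 * I
        if J <= N:
            if J < N and M[J + 1] > M[J]:
                J += 1                                   # J is the larger child
            if M[J] > COPY:
                M[I] = M[J]
                H = list(M); H[J] = COPY                 # <M,J,COPY>
                assert treeordered(M, I0, N) and COPY <= M[J // 2] \
                    and permutation(H, M0) and unchanged(M, M0, 1, I0 - 1) \
                    and unchanged(M, M0, N + 1, L) and N >= J > I0 >= 1   # ASSERT
                I = J
                continue                                 # GO TO 10
        M[I] = COPY
        break
    assert treeordered(M, I0, N) and permutation(M, M0) \
        and unchanged(M, M0, 1, I0 - 1) and unchanged(M, M0, N + 1, L)    # EXIT

def treesort3(A0):
    """TREESORT3 with both loop INVARIANTs and the EXIT condition asserted; returns the sorted list."""
    L = len(A0)
    assert L >= 2                                        # ENTRY
    A = [None, *A0]
    I = L // 2
    while True:
        assert treeordered(A, I + 1, L) and I >= 1 and permutation(A, [None, *A0])
        if not I >= 2:
            break
        siftup(A, I, L, L)
        I -= 1
    I = L
    while True:
        assert ordered(A, I + 1, L) and partitioned(A, I, L) \
            and treeordered(A, 2, I) and I >= 1 and permutation(A, [None, *A0])
        if not I >= 2:
            break
        siftup(A, 1, I, L)
        A[1], A[I] = A[I], A[1]          # WORK := A[1]; A[1] := A[I]; A[I] := WORK
        I -= 1
    assert ordered(A, 1, L) and permutation(A, [None, *A0])   # Issortedarrayof(A,A0)
    return A[1:]
```

Moving the label 10 below COPY := M[I], as in the listing above, matters here as well: if COPY were re-read on every pass, the value being sifted would be lost and the Permutation(<M,J,COPY>,M0) assertion would fail on the second pass.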


This is Hoare's FIND program [7] and its goalfile. This program is verified with 53 seconds of
computation time.


PASCAL

PROCEDURE FIND(VAR A: FARRAY; F,K: INTEGER);

  INITIAL A=A0;

  ENTRY 1 ≤ F ∧ F ≤ K;

  EXIT PARTITIONED(A,F) ∧ PERMUTATION(A,A0);

  VAR M,N,I,J: INTEGER; R,W: REAL;

BEGIN
  M := 1; N := K;

  INVARIANT MINVARIANT(A,M) ∧ NINVARIANT(A,N) ∧ PERMUTATION(A,A0)
            ∧ (M ≤ F) ∧ (F ≤ N)
  WHILE M < N DO
    BEGIN
      R := A[F]; I := M; J := N;

      INVARIANT MINVARIANT(A,M) ∧ NINVARIANT(A,N) ∧ IINVARIANT(A,I,R)
                ∧ JINVARIANT(A,J,R) ∧ PERMUTATION(A,A0) ∧ (M ≤ I) ∧ (N ≥ J)
      WHILE I ≤ J DO
        BEGIN
          INVARIANT IINVARIANT(A,I,R) ∧ (M ≤ I)
          WHILE A[I] < R DO I := I+1;

          INVARIANT JINVARIANT(A,J,R) ∧ (N ≥ J)
          WHILE R < A[J] DO J := J-1;

          IF I ≤ J THEN
            BEGIN
              W := A[I]; A[I] := A[J]; A[J] := W;
              I := I+1; J := J-1
            END
        END;

      IF F ≤ J THEN N := J ELSE IF I ≤ F THEN M := I ELSE GO TO 10
    END;
10:
END;.


GOALFILE

AXIOM PERMUTATION(@I,@I) = TRUE;

AXIOM PERMUTATION(EXCHANGE(@I1,@I2,@I3),@I1) = TRUE;

GOAL PERMUTATION(@A,@B) SUB PERMUTATION(A,@C) ∧ PERMUTATION(@C,B);

AXIOM IF Y=P1[P3]
      THEN <<@P1,@P2,@Y>,@P3,@P4> = EXCHANGE(<P1,P2,P4>,P2,P3);

GOAL PARTITIONED(@A,@I) SUB MINVARIANT(A,I) ∧ NINVARIANT(A,I);

AXIOM MINVARIANT(@A,1) = TRUE;

GOAL MINVARIANT(@A,@M)
     SUB IINVARIANT(A,@I,@X) ∧ JINVARIANT(A,@J,@X) ∧ (I ≥ J+1) ∧ (I ≥ M) ∧ (M > J);

GOAL MINVARIANT(EXCHANGE(@A,@I,@J),@M) SUB MINVARIANT(A,M) ∧ (I ≥ M) ∧ (J ≥ M);

AXIOM NINVARIANT(@A,K) = TRUE;

GOAL NINVARIANT(@A,@N)
     SUB IINVARIANT(A,@I,@X) ∧ JINVARIANT(A,@J,@X) ∧ (I ≥ J+1) ∧ (I > N) ∧ (N ≥ J);

GOAL NINVARIANT(EXCHANGE(@A,@I,@J),@N) SUB NINVARIANT(A,N) ∧ (I ≤ N) ∧ (J ≤ N);

GOAL IINVARIANT(@A,@I,A[@J]) SUB MINVARIANT(A,I) ∧ (J ≥ I);

GOAL IINVARIANT(EXCHANGE(@A,@I,@J),@I+1,@R) SUB IINVARIANT(A,I,R) ∧ (I ≤ J) ∧ (R ≥ A[J]);

GOAL JINVARIANT(@A,@J,A[@I]) SUB NINVARIANT(A,J) ∧ (I ≤ J);

GOAL JINVARIANT(EXCHANGE(@A,@I,@J),@J-1,@R) SUB JINVARIANT(A,J,R) ∧ (I ≤ J) ∧ (R ≤ A[I]);

AXIOM @A < @B = A+1 ≤ B;

GOAL @P1 < @P2 SUB (P1 ≤ @P3) ∧ (@P3 < P2);

AXIOM IF P1 ≤ P2 THEN @P2 ≤ @P1 = P1=P2;

The heads of the four IINVARIANT and JINVARIANT goals did not survive extraction and have been
restored from their subgoals and from the points in the program where they are needed: the two
rules with A[@J] and A[@I] as the bound establish the invariants when I and J are initialised to
M and N, and the two rules over EXCHANGE re-establish them after the exchange in the inner loop.
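The four invariant predicates of FIND are simple enough to run, and doing so checks that the formulas at the cut points of the listing above are true at every iteration before any proof is attempted. The Python below is an added example, not the report's code: it transcribes FIND, defines MINVARIANT, NINVARIANT, IINVARIANT and JINVARIANT (and PARTITIONED as the goalfile derives it from the first two), and asserts the ENTRY, the three INVARIANTs and the EXIT at the places the listing puts them. Arrays are 1-indexed with slot 0 unused; K, the upper bound of the procedure header, is taken to be the length of the input.

```python
def minvariant(A, M):
    """MINVARIANT(A,M): every A[1:M-1] is <= every A[M:K]."""
    K = len(A) - 1
    return all(A[P] <= A[Q] for P in range(1, M) for Q in range(M, K + 1))

def ninvariant(A, N):
    """NINVARIANT(A,N): every A[1:N] is <= every A[N+1:K]."""
    K = len(A) - 1
    return all(A[P] <= A[Q] for P in range(1, N + 1) for Q in range(N + 1, K + 1))

def iinvariant(A, I, R):
    """IINVARIANT(A,I,R): every A[1:I-1] is <= R."""
    return all(A[P] <= R for P in range(1, I))

def jinvariant(A, J, R):
    """JINVARIANT(A,J,R): R is <= every A[J+1:K]."""
    return all(R <= A[Q] for Q in range(J + 1, len(A)))

def partitioned(A, F):
    """PARTITIONED(A,F), as the goalfile reduces it: MINVARIANT(A,F) and NINVARIANT(A,F)."""
    return minvariant(A, F) and ninvariant(A, F)

def permutation(A, B):
    return sorted(A[1:]) == sorted(B[1:])

def find_checked(A0, F):
    """FIND(A,F,K) with the listing's invariants asserted; returns the rearranged list,
    whose F-th element (index F-1 in the result) is the F-th smallest of the input."""
    A = [None, *A0]
    K = len(A0)
    assert 1 <= F <= K                                   # ENTRY
    A_init = list(A)                                     # INITIAL A=A0
    M, N = 1, K
    while True:
        assert minvariant(A, M) and ninvariant(A, N) and permutation(A, A_init) \
            and M <= F <= N                              # outer INVARIANT
        if not M < N:
            break
        R = A[F]; I = M; J = N
        while True:
            assert minvariant(A, M) and ninvariant(A, N) and iinvariant(A, I, R) \
                and jinvariant(A, J, R) and permutation(A, A_init) \
                and M <= I and N >= J                    # middle INVARIANT
            if not I <= J:
                break
            while A[I] < R:
                I += 1
                assert iinvariant(A, I, R) and M <= I   # innermost INVARIANT
            while R < A[J]:
                J -= 1
                assert jinvariant(A, J, R) and N >= J   # innermost INVARIANT
            if I <= J:
                A[I], A[J] = A[J], A[I]                  # W := A[I]; A[I] := A[J]; A[J] := W
                I += 1; J -= 1
        if F <= J:
            N = J
        elif I <= F:
            M = I
        else:
            break                                        # GO TO 10
    assert partitioned(A, F) and permutation(A, A_init)  # EXIT
    return A[1:]
```

The two scans never run off the array because A[F] = R lies between I and J on the first pass and, after an exchange, A[I] >= R and A[J] <= R bound the next pass; that is the same fact the goalfile's rules over EXCHANGE rely on.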


Von Henke and Luckham have verified other programs using this system. A detailed study of the
verification method has also been performed [5].